The Personal Data Protection Bill, 2019 is silent on retrospective applicability, i.e. whether its provisions apply to personal data collected before the legislation comes into force. However, the Report of the Justice Srikrishna Committee that accompanied the draft Bill explicitly suggested that the provisions of the Bill should not have retrospective effect on personal data processed by data fiduciaries and processors prior to its enactment.
It should nonetheless be noted that the term ‘processing’ covers within its ambit even storage, recording, collection and retrieval, and that such processing is an ongoing activity. The Bill would therefore, in effect, apply to personal data collected before it comes into force. Consequently, it may be inferred that the Bill will apply to all data that is under processing at the time of its enforcement, and data fiduciaries will be required to comply with its provisions in respect of that ongoing processing.
If the Bill is made applicable to the processing of personal data retrospectively, the financial services sector at large would be affected extensively. This is because the explicit requirement of ‘consent’ would not be satisfied in its entirety for obligations fulfilled in the past. For instance, the prevailing practice on consent is to rely on umbrella clauses that implicitly obtain the consent of data principals to process their personal data for ‘indeterminate purposes’, often coupled with terms such as ‘irrevocable’. This is contrary to the conditions of valid consent laid down under the Bill, whereby consent is valid only when it is free, informed, specific, clear and capable of being withdrawn.
In light of the above, the applicability of the PDP Bill to ongoing processing activities would essentially extend to all retained data of data principals, since ‘storage of data’ is a subset of processing and banks are under an obligation to retain such data under RBI regulations and other applicable laws. This may lead to consent fatigue on the part of customers, since continuous and ad hoc express consents may have to be obtained from them following the renegotiation of all concluded and effective contracts.
It is therefore suggested that the legislature consider amending the Bill to exclude the requirement of consent for the processing of data collected prior to its enforcement, given that processing is treated as a continuous act. The consent requirement should apply only to such data as is proposed to be processed for newly defined purposes. It ought to be noted in this regard that if pre-acquired data is stored offline, a considerable investment of time, money and effort would be required to digitise it, and if it is stored on vintage or legacy systems, the task of importing such data may prove impossible. Unless such a temporal nexus for the effectiveness of the Bill is established, its provisions might unduly prejudice businesses.
Existing Confidentiality Principles in the Banking Sector
The principles of confidentiality and the regulatory compliances adhered to by financial entities under Sections 45C, 45D and 45E of the Reserve Bank of India Act, 1934, Sections 19 to 23 of the Credit Information Companies (Regulation) Act, 2005, and the sectoral guidelines promulgated thereunder may be cut across significantly by the PDPB post-enactment, thereby undermining existing processes with little benefit from the customer’s perspective.
For instance, API-based banking services, a contemporary development in the Fintech sector, are regulated by the RBI’s account aggregator (RBI-AA) framework, which prescribes detailed data protection requirements through explicit consent and strict restrictions on the storage, sharing and access of data.
The PDP Bill would bring in similar data protection requirements by addressing issues such as inadequate customer consent and the sharing of plain-text data, by enabling the exercise of data principal rights, and by requiring contracts to be revamped to specify controller-processor obligations, purposes, erasure periods and the like. In addition, the introduction of consent managers would allow users to communicate with data fiduciaries in order to exercise their rights under the Bill, a practice not contemplated under the RBI-AA framework. An amendment ought therefore to be considered so that customers are not forced to rely on an account aggregator for managing consent and, separately, on a consent manager for exercising their rights.
Further, the creation of a new Data Protection Authority (DPA) under the Bill, vested with wide powers, and the imposition of blanket provisions without adequate consideration of their impact on the financial sector, may lead to regulatory overlap with the bodies that currently supervise financial entities in the country, including the RBI, SEBI and IRDAI. These sectoral regulators require their regulated entities to collect certain personal data as part of KYC processes and for the prevention of money laundering and tax evasion.
Since such personal data is mandatorily required to be collected under law, the protections of notice, consent and the like are either implied or meaningless for that processing. Moreover, such data is required to be retained for as long as the customer relationship exists and for a prescribed period thereafter under the PMLA Rules, the Banking Companies (Period of Preservation of Records) Rules, the SEBI (LODR) Regulations, the KYC norms and the IRDAI Guidelines issued by the respective sectoral regulators; hence there is no question of erasure of such personal data during that period.
It would therefore be essential to ensure that the operation of the PDPB 2019 does not impede the functioning of the pre-established sectoral rules, and that a working group is constituted to harmonise the authority of these bodies. Alternatively, Section 2 of the PDP Bill, 2019 could be amended to exclude the processing of personal data by regulated entities in terms of the relevant sectoral regulations, with the relevant sectoral regulator specifying the modes and purposes for which such data may be processed. This would also ensure that there are no conflicts between the law laid down by the different regulatory bodies and the 2019 Bill.
Rights of Data Principals
Under the 2019 Bill, data principals are guaranteed certain rights with respect to their personal data collected and processed by data fiduciaries, including the right to confirmation and access, the right to correction and erasure, and the right to data portability. Retrospective applicability of these provisions may have a significant impact on banks, since they would have to retain all old processing records (both online and offline) of such personal data, in tension with their obligation under the Bill to delete such data once the purpose of processing is complete.
An inherent contradiction exists in the Bill regarding the requirement to inform data principals of past processing. Under Section 17, the data principal has the right to seek details from the data fiduciary about the past processing of personal data by that fiduciary. However, Section 9 obliges the data fiduciary to retain personal data only for the period necessary to process it and to delete it thereafter. A data fiduciary that has complied with its obligations under Section 9 would already have deleted the personal data and would be unable to provide the details of past processing required under Section 17.
Accordingly, Section 17 ought to be made subject to Section 9(1), so that the data principal does not have a right to obtain information about past processing where the underlying data has had to be deleted to comply with Section 9(1).
In the case of offline records or records maintained in legacy systems, significant time, money and effort would have to be spent to bring them online so as to enable data principals to exercise their rights under Chapter V with respect to such data. Further, under Section 17(3) of the Bill, data principals have a right to access the identities of all data fiduciaries to whom their personal data has been disclosed, together with the categories of personal data shared with them.
Compliance with this requirement would be a cumbersome and expensive exercise for the data fiduciary, and it may even be impossible for data collected before the Bill came into effect, since a record of the persons with whom that data was shared may never have been maintained. The rights of the data principal under Chapter V should therefore apply only to personal data collected after the Bill comes into force.
Compliance with the provisions of the PDP Bill, 2019 thus necessitates structural changes within data fiduciaries, such as upgrading and interlinking technologies and internal systems and amending customer documentation to comply with the consent framework. For these reasons it is essential that the 2019 Bill be enforced in a phased manner, through staggered commencement of its provisions, to ensure the seamless application of the law.